From 69f12867532311b3d22da82f5186d8479447c960 Mon Sep 17 00:00:00 2001 From: ivababukova Date: Mon, 30 Oct 2023 10:00:11 +0100 Subject: [PATCH 1/2] Move the pipeline to OIDC Signed-off-by: ivababukova --- .ci.yaml | 29 ----------------- .github/workflows/ci.yaml | 16 +++++----- ci-role-pipeline-cf.yaml | 66 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 75 insertions(+), 36 deletions(-) delete mode 100644 .ci.yaml create mode 100644 ci-role-pipeline-cf.yaml diff --git a/.ci.yaml b/.ci.yaml deleted file mode 100644 index 523fbf47..00000000 --- a/.ci.yaml +++ /dev/null @@ -1,29 +0,0 @@ -ci-policies: - - PolicyName: "get-ecr-auth-token" - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "ecr:GetAuthorizationToken" - Resource: "*" - - - PolicyName: "manage-ecr-contents" - PolicyDocument: - Version: 2012-10-17 - Statement: - - Effect: Allow - Action: - - "ecr:BatchCheckLayerAvailability" - - "ecr:GetDownloadUrlForLayer" - - "ecr:GetRepositoryPolicy" - - "ecr:DescribeRepositories" - - "ecr:ListImages" - - "ecr:DescribeImages" - - "ecr:BatchGetImage" - - "ecr:InitiateLayerUpload" - - "ecr:UploadLayerPart" - - "ecr:CompleteLayerUpload" - - "ecr:PutImage" - - "ecr:CreateRepository" - Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/pipeline" diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 0c56ab05..d4f08d68 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -20,6 +20,10 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + id-token: write + contents: read + jobs: is-safe-to-run: name: Sensitive jobs are safe to be run 
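Review bot: The added `permissions:` block grants `id-token: write` at the workflow level, so every job in ci.yaml may request a GitHub OIDC token, not only the two jobs that run the `setup-aws` step further down the file. Scoping it to those jobs keeps the token-minting capability where the role is actually assumed: put `permissions:` / `id-token: write` / `contents: read` under each of those jobs and drop the workflow-level `id-token` line (a job-level block replaces the workflow default entirely, so `contents: read` has to be repeated there). The workflow-level block also pins every other job to `contents: read`; if a job outside this hunk pushes tags, writes packages or comments on pull requests it will now fail, which is worth confirming against the rest of the file.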
@@ -194,12 +198,11 @@ jobs: echo "tag=refs-heads-master-$BASE_SHA" >> $GITHUB_OUTPUT fi - - id: set-up-creds + - id: setup-aws name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v2 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-pipeline aws-region: ${{ secrets.AWS_REGION }} - id: login-ecr @@ -308,10 +311,9 @@ jobs: - id: setup-aws name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v2 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-pipeline aws-region: ${{ secrets.AWS_REGION }} - id: login-ecr diff --git a/ci-role-pipeline-cf.yaml b/ci-role-pipeline-cf.yaml new file mode 100644 index 00000000..b3cd3a9a --- /dev/null +++ b/ci-role-pipeline-cf.yaml 
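Review bot: The new `uses: aws-actions/configure-aws-credentials@v2` line (and the identical one in the `@@ -308` hunk) references a mutable tag, so a retagged release would silently change the code that receives the OIDC token and assumes `ci-role-pipeline`; pinning to the full commit SHA with the version in a trailing comment, `uses: aws-actions/configure-aws-credentials@<commit-sha>  # vN`, removes that dependency on the tag, whichever major version is chosen. The step id also changes from `set-up-creds` to `setup-aws` in the first hunk; any `steps.set-up-creds.outputs.*` reference elsewhere in the workflow would evaluate to empty rather than error, so a grep for the old id is worthwhile. Adding `role-session-name: ${{ github.run_id }}` under `with:` in both steps lets CloudTrail attribute the assumed-role activity to the specific workflow run instead of the action's default session name.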
@@ -0,0 +1,66 @@
+# Used during CI builds for AWS access
+# Deploy this once for every AWS account you want the build to have access to
+AWSTemplateFormatVersion: "2010-09-09"
+Description: Set up API role using Github OIDC for workflow permissions
+
+Resources:
+ Role:
+ Type: AWS::IAM::Role
+ Properties:
+ RoleName: ci-role-pipeline
+ MaxSessionDuration: 7200
+ AssumeRolePolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action: sts:AssumeRoleWithWebIdentity
+ Principal:
+ # Make sure that the OIDC provider is set up in the AWS account.
+ # Uncomment and deploy the commented out GithubOidc Resource below if this is not the case.
+ # Replace with the ID of the AWS Account the CI workflow needs access to.
+ Federated: arn:aws:iam:::oidc-provider/token.actions.githubusercontent.com
+ Condition:
+ StringEquals:
+ token.actions.githubusercontent.com:aud: sts.amazonaws.com
+ StringLike:
+ # Change the placeholder below when deploying the template
+ token.actions.githubusercontent.com:sub: repo:/pipeline:*
+ Policies:
+ - PolicyName: "get-ecr-auth-token"
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - "ecr:GetAuthorizationToken"
+ Resource: "*"
+ - PolicyName: "manage-ecr-contents"
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action:
+ - "ecr:BatchCheckLayerAvailability"
+ - "ecr:GetDownloadUrlForLayer"
+ - "ecr:GetRepositoryPolicy"
+ - "ecr:DescribeRepositories"
+ - "ecr:ListImages"
+ - "ecr:DescribeImages"
+ - "ecr:BatchGetImage"
+ - "ecr:InitiateLayerUpload"
+ - "ecr:UploadLayerPart"
+ - "ecr:CompleteLayerUpload"
+ - "ecr:PutImage"
+ - "ecr:CreateRepository"
+ Resource: !Sub "arn:aws:ecr:${AWS::Region}:${AWS::AccountId}:repository/pipeline"
+
+# This part is only required if Github OIDC is not already set up in the AWS account
+# as an Identity Provider. Uncomment to deploy if needed.
+ # GithubOidc: + # Type: AWS::IAM::OIDCProvider + # Properties: + # Url: https://token.actions.githubusercontent.com + # ClientIdList: + # - sts.amazonaws.com + # ThumbprintList: + # - 6938fd4d98bab03faadb97b34396831e3780aea1 + # - 1c58a3a8518e8759bf075b76b750d4f2df264fcd From e2d963961187ed98b9f5754eda4f506c47a3900b Mon Sep 17 00:00:00 2001 From: ivababukova Date: Tue, 7 Nov 2023 17:05:01 +0100 Subject: [PATCH 2/2] use v4 version of configure-aws-credentials Signed-off-by: ivababukova --- .github/workflows/ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d4f08d68..80d7b78c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -200,7 +200,7 @@ jobs: - id: setup-aws name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-pipeline aws-region: ${{ secrets.AWS_REGION }} @@ -311,7 +311,7 @@ jobs: - id: setup-aws name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v2 + uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ci-role-pipeline aws-region: ${{ secrets.AWS_REGION }}
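Review bot: The trust policy condition `token.actions.githubusercontent.com:sub: repo:/pipeline:*` in the new ci-role-pipeline-cf.yaml lets a workflow run on any branch, tag or pull request of the repository assume a role that can push images to the `pipeline` ECR repository; unless that is intended, narrow the subject to the refs that should publish, e.g. `"repo:<ORG>/pipeline:ref:refs/heads/master"` (the workflow's `refs-heads-master-` tag logic suggests master is the release branch; `<ORG>` is the placeholder the inline comment already asks the deployer to fill in), and list `repo:<ORG>/pipeline:pull_request` as a second `StringLike` entry only if pull-request runs genuinely need to push. The `Federated:` ARN is left with an empty account-id field even though the template already resolves the account with `!Sub` on the ECR `Resource` line, so `Federated: !Sub "arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com"` removes one hand-edited placeholder and the comment asking for it. `AssumeRolePolicyDocument` also carries no `Version: "2012-10-17"` while both inline policies do; without it the trust policy is evaluated under the 2008 policy language, which does not support policy variables, so adding the line keeps the three documents consistent. The hunk's commented-out `GithubOidc` resource continues into the next patch's header on this line.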